CVE Alert

CVE-2026-32638

Severity: LOW (2.7)

StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens

CVSS Score: 2.7
EPSS Score: 0.0%
EPSS Percentile: 0th

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request `rank=owner` and receive owner account records, including IDs, usernames, display names, and email addresses, even though the adjacent `getUser` endpoint correctly blocks admins from viewing owner users. This is an authorization inconsistency inside the same user-management surface. Version 0.4.4 fixes the issue.
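The advisory's core point is a CWE-639 pattern: the list endpoint lets a caller-supplied query parameter, rather than the caller's own authenticated rank, decide whether higher-privileged records are hidden. The TypeScript below is an added illustration written for this page, not StudioCMS code; the `Rank` type, `RANK_ORDER` table, in-memory `USERS` array and the function names `getUsersVulnerable` / `getUsersFixed` are all hypothetical. It shows the vulnerable shape beside a version that derives the visibility ceiling from the caller and treats `rank` purely as a narrowing filter, so the list endpoint can no longer disclose what the single-record endpoint already refuses to return.

```typescript
// Hypothetical model of the authorization inconsistency described in
// CVE-2026-32638. None of these identifiers are StudioCMS's own.

type Rank = "owner" | "admin" | "editor" | "visitor";

interface UserRecord {
  id: string;
  username: string;
  name: string;
  email: string;
  rank: Rank;
}

interface Caller {
  rank: Rank; // rank attached to the authenticated API token
}

// Constructed sample data standing in for the users table.
const USERS: UserRecord[] = [
  { id: "u1", username: "root", name: "Site Owner", email: "owner@example.test", rank: "owner" },
  { id: "u2", username: "alice", name: "Alice", email: "alice@example.test", rank: "admin" },
  { id: "u3", username: "bob", name: "Bob", email: "bob@example.test", rank: "editor" },
];

// Ranks ordered low to high. A caller may only see records at or below its own rank.
const RANK_ORDER: Record<Rank, number> = { visitor: 0, editor: 1, admin: 2, owner: 3 };

// Vulnerable shape: the only thing deciding whether owner rows are hidden is the
// attacker-controlled `rank` query string. The caller's own rank is never consulted,
// so an admin token sending rank=owner receives the owner records.
function getUsersVulnerable(_caller: Caller, rankQuery?: string): UserRecord[] {
  const hideOwners = rankQuery !== "owner";
  return USERS.filter((u) => {
    if (hideOwners && u.rank === "owner") return false;
    return rankQuery === undefined || u.rank === rankQuery;
  });
}

// Fixed shape: the visibility ceiling comes from the authenticated caller and is
// applied unconditionally; `rank` can only narrow the result set, never widen it.
// Unknown rank values are rejected instead of silently ignored.
function getUsersFixed(caller: Caller, rankQuery?: string): UserRecord[] {
  if (rankQuery !== undefined && !(rankQuery in RANK_ORDER)) {
    throw new Error(`invalid rank filter: ${rankQuery}`);
  }
  const ceiling = RANK_ORDER[caller.rank];
  return USERS.filter((u) => {
    if (RANK_ORDER[u.rank] > ceiling) return false; // same rule getUser would apply
    return rankQuery === undefined || u.rank === rankQuery;
  });
}

// Convenience for reasoning about disclosure: which ids leak above the caller's rank?
function leakedIds(caller: Caller, rows: UserRecord[]): string[] {
  const ceiling = RANK_ORDER[caller.rank];
  return rows.filter((u) => RANK_ORDER[u.rank] > ceiling).map((u) => u.id);
}

const admin: Caller = { rank: "admin" };
console.log("vulnerable, admin, rank=owner ->", leakedIds(admin, getUsersVulnerable(admin, "owner")));
console.log("fixed, admin, rank=owner      ->", leakedIds(admin, getUsersFixed(admin, "owner")));
```

The same ceiling check belongs in both `getUsers` and `getUser`; keeping it in one shared helper is the simplest way to prevent the two endpoints from drifting apart again, and a test that calls every user-management endpoint with an admin token and `rank=owner` is a cheap regression guard.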

CWE: CWE-639
Vendor: withstudiocms
Product: studiocms
Published: Mar 18, 2026
Last Updated: Mar 19, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Affected Versions

withstudiocms / studiocms
< 0.4.4

References

https://github.com/withstudiocms/studiocms/security/advisories/GHSA-xvf4-ch4q-2m24
https://github.com/withstudiocms/studiocms/commit/aebe8bcb3618bb07c6753e3f5c982c1fe6adea64
https://github.com/withstudiocms/studiocms/releases/tag/[email protected]